Atmosphere 2021



Deliver Seamless and Secure Remote Access in the Hybrid Workplace

  • 1.  Deliver Seamless and Secure Remote Access in the Hybrid Workplace

    Posted Apr 21, 2021 11:03 AM
    I have a few questions about IAPs.

    1. With layer 3 IAPs the presentation says the IAP would be the DHCP server.
         - Is there an option for a helper address?
         - If not, and assuming I have 600+ IAPs, would each IAP need dedicated subnets for Corp and Guest networks "per IAP", or can every IAP have the same subnets assigned and there is some sort of NAT trick in the background?

    2. Central questions:
         - Do IAPs work with OnPrem Central, and if so do I need a leg in the DMZ for this to work?
         - I am not cloud savvy. I hear them say in the presentation that Aruba Central is supported in AWS or Azure. Is that a device I spin up in our cloud services, or is that something Aruba already has set up and I subscribe to that one?
         - Am I correct in saying that Cloud Central pushes all the config to the IAP but is not part of the users'/clients' dataflow? I have VPNC devices, so somehow Central or the IAP must have a tunnel to the VPNC. Which is it?

    3. IAP General
         - Are IAPs capable of supporting 20+ user roles, 3 SSIDs and long complicated ACLs? (essentially the same as my campus controllers)
         - I have a large RAP deployment today. We have issues with heartbeats and bootstraps. Are the IAPs as sensitive to network issues as the RAPs, and do they bootstrap?

    THANK YOU! 
    Alan 


    ------------------------------
    Alan Scott
    ------------------------------


  • 2.  RE: Deliver Seamless and Secure Remote Access in the Hybrid Workplace

    Posted Apr 22, 2021 05:49 PM

    With distributed layer 3 mode of IAP VPN deployment, the subnet pool is configured on the VPNC. This overall subnet pool is then divided and automatically assigned to each of the APs by the VPNC using the number of devices expected at each branch as an input. The IAP-VPN solution guide available at the link below provides additional details on this.

    https://asp.arubanetworks.com/downloads/documents/RmlsZTo5MDJhNTZlZS02ZDdlLTExZWEtYjkxZi1iN2RmYWY0MmEyMmY%3D

    Helper address for layer 3 tunnels is currently not supported, but is being evaluated as part of the roadmap.

     

    Central On Prem (COP) supports IAP deployment and management. Central/COP provides management but no client traffic goes through it. Instead, client traffic is tunneled from the IAP to the VPNC. The management plane between IAP and Central goes over HTTPS and need not be tunneled. You are correct in your understanding – Central provides configuration and monitoring of the deployments, but the user traffic does not reach Central. Aruba already offers Central in AWS and Azure, you just need to subscribe to the service available through the public instance in the cloud.

     

    IAP certainly does support more than 20 user roles, several SSIDs and a large number of ACLs. However, in the distributed architecture of IAP without a dedicated hardware controller, some of the scale parameters are somewhat limited when compared to an AOS/controller-based solution. One of the advantages of IAP's distributed architecture is that the IAPs are more self-reliant individually and perform much of the processing and policy enforcement at each of the APs. Consequently, some of the issues you may have experienced in the RAP architecture may not be a concern in the IAP VPN architecture.

    I am sure your account team will be happy to assist you in confirming that your existing configuration and scale can be supported with the IAP-VPN solution. We would also want to work with you to understand the bootstrap issues you mentioned and their applicability to the IAP VPN architecture.



    ------------------------------
    Prince Samar
    ------------------------------
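As an added illustration of the pool carving the reply describes (example code written for this page, not Aruba's VPNC allocator; the sizing rule, the best-fit strategy and the constructed branch client counts are all assumptions), this Python model sizes one subnet per IAP from its expected client count and shows how many IAPs a single pool can feed, which is the scale question raised about 600+ APs:

```python
import ipaddress
import math

# Constructed sample input (not real deployment data): expected client count per branch IAP.
BRANCHES = {"branch-a": 25, "branch-b": 60, "branch-c": 5}

def prefix_for_hosts(hosts: int) -> int:
    """Smallest IPv4 prefix length whose addresses cover `hosts` clients plus
    network, broadcast and one gateway address (the IAP acting as DHCP server)."""
    bits = max(2, math.ceil(math.log2(hosts + 3)))
    return 32 - bits

def aps_supported(pool: str, hosts_per_ap: int) -> int:
    """How many IAPs of a given client size one pool can feed before it is exhausted."""
    net = ipaddress.ip_network(pool)
    return 2 ** (prefix_for_hosts(hosts_per_ap) - net.prefixlen)

def allocate_pool(pool: str, branches: dict) -> dict:
    """Carve `pool` into one subnet per branch IAP, sized from its expected client
    count. This is an illustrative best-fit allocator written for this example,
    not a description of the VPNC's real assignment logic."""
    free = [ipaddress.ip_network(pool)]
    assignments = {}
    # largest requests first, so smaller blocks later fill the remainders
    for name, hosts in sorted(branches.items(), key=lambda kv: -kv[1]):
        plen = prefix_for_hosts(hosts)
        fits = [b for b in free if b.prefixlen <= plen]
        if not fits:
            raise ValueError(f"pool {pool} exhausted at {name}")
        block = max(fits, key=lambda b: b.prefixlen)  # tightest fitting free block
        free.remove(block)
        # halve the block until it matches the requested size,
        # returning each unused upper half to the free list
        while block.prefixlen < plen:
            block, rest = block.subnets(prefixlen_diff=1)
            free.append(rest)
        assignments[name] = block
    return assignments

if __name__ == "__main__":
    for ap, net in allocate_pool("10.100.0.0/16", BRANCHES).items():
        print(f"{ap}: {net} ({net.num_addresses - 3} usable client addresses)")
    print("IAPs with 30 clients each from one /16:", aps_supported("10.100.0.0/16", 30))
```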



  • 3.  RE: Deliver Seamless and Secure Remote Access in the Hybrid Workplace

    Posted Apr 22, 2021 05:49 PM
    (deleting duplicate post)

